SECTION 1
SCOPE 


General  Electric  Company's  effort  on  Contract  DNA  001-83-C-0109,  Propagation 
Simulator  Enhancement  Program,  is  now  complete.  This  report  summarizes  the 
achievements  of  this  program,  including  completion  of  the  tasks  specified  in 
the  contract  and  additional  effort  necessary  for  effective  program  execution. 
Figure  1  illustrates  the  major  changes  to  the  Propagation  Simulator  hardware 
which  have  occurred  over  the  last  two  years.  The  simulator  now  stands  ready 
to  support  a  wider  range  of  test  scenarios  with  increased  versatility  and 
convenience,  due  to  the  incorporation  of  a  VAX  11/730  computer.  This  report 
concludes  with  recommendations  for  additional  improvements  which  will  make  the 
propagation  simulator  an  even  more  effective  research  and  development  tool. 


SECTION  2 
TASKS  SPECIFIED 

The  following  paragraphs  summarize  the  work  accomplished  as  specified  in  Tasks 
1  through  9  of  Contract  DNA  001-83-C-0109: 

A.  TASK  1:  AUTOMATIC  MEAN  POWER  PROFILE 

In  order  to  utilize  the  full  dynamic  range  of  the  simulator's  vector 
modulators,  it  is  necessary  to  adjust  attenuators  at  each  delay  line  tap 
to  match  the  marginal  delay  power  density  (MDPD)  profile  corresponding  to 
the selected decorrelation bandwidth (fo). In the past, the MDPD profile
was  computed  off  line  and  attenuator  pads  were  manually  inserted  at  each 
tap.  This  manual  process  was  required  each  time  a  new  fo  was  selected. 

The  simulator's  off-line  data  generation  software  was  modified  to  permit 
automatic  adjustment  of  the  mean  power  at  each  tap.  It  was  found  that  the 
vector modulators have a dynamic range of approximately 50 dB rather than
the 40 dB specified. With this additional range, it was shown that each of
the taps within 0.6/fo can be commanded throughout their required 40 dB
range. Assuming that energy outside 0.6/fo is negligible, the software
implementation was found to be effective. Confidence level, Chi-square,
and Gram-Charlier analysis showed the implementation to be consistent
with required Rayleigh statistics. It is now possible to operate with any
fo  from  630  KHz  to  6.2  MHz  without  manually  changing  the  attenuator  pads 
at  each  delay  line  tap. 


B. TASK 2: AVERAGE POWER OUTPUT MEASUREMENT

This  capability  was  deemed  unnecessary  and  the  task  was  deleted  by 
direction  of  the  Contract  Technical  Monitor. 

C.  TASK  3:  S-BAND  FREQUENCY  TRANSLATOR 

A frequency translator operating in the 2.2 GHz to 2.3 GHz band was
designed,  fabricated,  and  tested.  This  unit  adapts  the  translator's  700 
MHz  operating  frequency  to  that  required  by  a  specific  user  of  the 
equipment.  Figure  2  is  a  block  diagram  of  the  S-Band  Frequency 
Translator.  It  accepts  high-level  (0  dBm)  or  low-level  (-60  dBm)  inputs, 
and  provides  simultaneous  high-  and  low-level  outputs.  The  simulator's 
built-in  HP-8656A  synthesized  signal  generator  is  used  to  provide  a 
tunable  local  oscillator.  The  S-Band  Frequency  Translator  is  installed  in 
the  RF  rack  adjacent  to  the  IF  Signal  Processor. 

D.  TASK  4:  DELAY  LINE  RACK: 

A  single-bay  rack  containing  48  delay  elements  with  selectable  40  or  80 
nanosecond  spacing  was  designed,  fabricated  and  tested.  The  configuration 
is  similar  to  the  previously  fabricated  delay  line  assembly  which  has  20 
nanosecond  delay  element  spacing.  Sections  of  semi-rigid  coaxial  cable 
are  cut  to  precise  lengths  to  achieve  the  necessary  delay,  and  equalized 
amplifiers  are  used  in  each  section  to  compensate  for  frequency-dependent 
losses over the 100 MHz passband of the lines. Figure 3, which shows a
delay  line  section,  illustrates  the  method  used  to  switch  between  40  and 
80  nanosecond  spacing.  This  switchover  can  be  accomplished  easily  in  the 
field  without  the  need  for  recalibration.  Performance  of  the  delay  line 
assembly  has  been  evaluated  using  an  automatic  network  analyzer.  Figure  4 
is  a  sample  of  test  data  taken.  Net  gain  of  the  entire  48  sections  of 
delay line, in either the 40 or 80 nanosecond configuration, is 0.5 dB.


Figure 2. S-band frequency translator.

Figure 3. Delay line reconfiguration.

Figure 4. Delay line performance data.


E.  TASKS  5-7:  FIELD  SUPPORT 


The  DNA  Propagation  Simulator  was  used  to  conduct  tests  at  Buckley 
National  Guard  Base,  Colorado,  from  July  to  December  1983  and  at  Texas 
Instruments, Dallas, Texas, from September to December 1984. Field
support  provided  at  each  test  site  included  the  following: 

(1)  Initial  meeting  with  users  to  define  test  setups  and  parameters 
and  to  discuss  installation  details. 

(2)  Generation  of  simulation  files  from  test  parameters  supplied  by 
users. 

(3)  Install,  calibrate,  and  checkout  the  simulator  at  the  test  site. 

(4) Make minor modifications, as required, to ensure proper
interfacing  with  user  equipment  under  test. 

(5)  Train  user  personnel  in  simulator  operation. 

(6)  Provide  continual  maintenance  support  of  the  simulator  during  the 
test  period. 

Tests  at  both  the  Colorado  and  Texas  sites  were  successful,  and  the 
simulator  operated  well  throughout  the  test  periods. 

F. TASK 8: STAND-ALONE SIMULATOR

This  task  was  intended  to  eliminate  the  Propagation  Simulator's  dependence 
on  external  computer  equipment.  A  VAX-11/730  computer  system  was 
procured and integrated with the simulator to provide necessary processing.
This  system  includes  a  Model  RUC-25  disk  drive  (52  megabits,  total 
capacity),  a  VT-100  CRT  terminal,  and  a  LA-100  teleprinter.  Software 
programs  formerly  run  on  the  VAX-11/780  time-shared  system  at  General 
Electric Co., including the CIRF program, have been transferred to the
VAX-11/730. Data communications between the VAX-11/730 and the
simulator's Digital Controller can be provided by a direct RS-232
interface cable, or alternately, via telephone lines if modems are
provided.

G.  TASK  9:  L-BAND  FREQUENCY  TRANSLATOR 

A  frequency  translator  which  enables  the  Propagation  Simulator  to  operate 
with  NAVSTAR  Global  Positioning  System  (GPS)  equipment  was  designed, 
fabricated, and tested. Three simultaneous L-band frequencies (1227.6 MHz,
1381.05 MHz and 1575.42 MHz) are translated to operate in a 50 MHz
intermediate  frequency  passband  centered  on  the  700  MHz  operating 
frequency  of  the  simulator.  Figure  5  is  a  block  diagram  of  the  L-Band 
translator.  In  operation,  all  three  L-Band  signals  simultaneously 
experience the frequency-selective fading channel characteristics
developed by the simulator. The translator accepts inputs and provides
outputs at low level (-80 dBm) or high level (0 dBm). Front panel
connectors  are  provided  for  monitoring  input  and  output  signals.  The 
L-Band  Frequency  Translator  is  installed  in  the  RF  Rack  adjacent  to  the  IF 
Signal  Processor. 


Figure  5.  L-band  frequency  translator. 


SECTION  3 

ADDITIONAL  ACCOMPLISHMENTS 


Incidental  to  providing  field  support  and  equipment  modifications  specified  in 
contract  DNA  001-83-C-0109,  additional  effort  was  necessary  to  eliminate 
problems  identified  in  the  field  and  prepare  for  future  support  requirements. 
A  summary  of  these  tasks  is  as  follows: 

A.  SELF-TEST: 

When the simulator was sent to field sites, a means for evaluating its
principal components was generally not available. To solve this problem,
a  Self-Test  firmware  program  was  developed  and  installed  in  the  Digital 
Controller.  Using  only  the  simulator's  internal  test  equipment,  the 
Self-Test  program  measures  the  independent  contribution  of  each  delay  line 
tap  when  the  vector  modulator  I  and  Q  channels  are  driven  into  each  phase 
quadrant.  The  Self-Test  program  evaluates  all  48  taps  in  less  than 
one  hour,  and  provides  a  clear  indication  of  defective  components  such  as 
vector modulators, hybrids, equalizer-amplifiers, power combiners, and
digital-to-analog  converters. 

B.  DIGITAL  RACK  RECONFIGURATION: 

With the addition of the VAX-11/730 computer, the need to make more
efficient  use  of  rack  space  became  apparent.  The  Digital  Controller, 
which  formerly  occupied  two  card  cages,  was  reinstalled  in  a  single 
compact  card  cage.  A  new  panel  for  mounting  power  combiners  was 
fabricated  to  provide  better  access  to  connectors  when  performing 
equipment calibration. The power meter, signal generator, Digital
Controller, and combiner panels were mounted in a single rack.
Temporarily,  the  original  teleprinter  (Silentwriter  700)  and  diskette 
drive  (Zendex)  have  also  been  installed  in  this  rack.  It  is  therefore 
possible  to  supply  a  two-rack  simulator  configuration  to  the  field  while 
the VAX-11/730 remains in plant to support additional software
enhancements. When the VAX-11/730 is shipped to the field with the
simulator,  the  Silentwriter  700  and  Zendex  drive  will  be  eliminated. 
Figure  1  illustrates  the  new  digital  rack  configuration. 


C.  CLASSIFIED  PROCESSING: 

Noting  the  customer's  desire  to  run  the  classified  SIGDAT  program  in  the 
VAX-11/730,  an  investigation  of  related  security  issues  was  conducted. 
Should  it  be  specified  at  a  later  date,  the  steps  required  to  establish 
TEMPEST  protection  have  been  compiled.  Procedural  requirements  for 
classified processing have been extracted from DOD 5220.22-M (Security
Requirements for ADP Systems), and a preliminary outline for an ADP Standard
Practice Procedure (SPP) has been prepared. An SPP for the Propagation
Simulator must be approved by the Defense Investigative Service before the
equipment can be used for classified data processing at a contractor
facility. Appendix A (attached herewith) addresses in detail the issues
associated with running classified software on the Propagation Simulator
computer.

D.  SOFT  START: 

When  the  simulator  is  used  to  evaluate  a  modem,  the  transients  caused  by 
switching  the  simulator  on  can  cause  the  modem  to  lose  synchronization.  A 
technique  was  developed  and  implemented  which  will  allow  the  simulator  to 
be activated during an interval of minimal perturbation.


SECTION 4
RECOMMENDATIONS 

Many  new  ideas  for  improving  the  simulator's  effectiveness  have  been  logged 
over  the  last  two  years.  The  following  improvements  are  recommended  because 
they  would  add  substantially  to  the  simulator's  capabilities  while  requiring 
only  a  modest  investment: 

A.  The  Digital  Controller,  which  is  based  upon  the  8086  microprocessor, 
lacks  the  capacity  to  process  multiple  simulation  files.  Providing  the 
Digital  Controller  with  a  new  CPU  board  and  additional  memory  would  remove 
this  hardware  limitation. 

B.  Software  algorithms  for  the  VAX  11/730  are  required  to  handle  multiple 
files.  Special  emphasis  must  be  placed  upon  the  period  of  transition 
between  files  to  prevent  discontinuities  from  adversely  affecting  fading 
statistics. 

C.  A  minor  hardware  change  in  the  IF  Signal  Processor  could  provide  a 
port  for  injecting  a  jamming  signal  from  an  external  source. 

D.  The  additional  capacity  of  the  VAX  11/730  is  available  to  drive  a 
large number of external test instruments via the General Purpose
Interface Bus (IEEE 488). Software could be developed to fully automate
entire  test  setups. 

E.  A  programmable  attenuator  under  software  control  can  be  added  to  the 
IF  Signal  Processor  to  simulate  atmospheric  absorption  effects. 


APPENDIX  A 

RUNNING  CLASSIFIED  SOFTWARE  ON  THE  DNA 
PROPAGATION  SIMULATOR  COMPUTER 


1.  BACKGROUND 

SIGDAT is a program contained in the technical report DNA-IR-82-01
entitled "A Reasonable Worst Case Specification Of Nuclear Disturbed-Radio
Signals." The SIGDAT program is written in FORTRAN and contains a data
base which is classified SECRET. The program generates τo and fo
parameters, which are unclassified, for various selected nuclear event
scenarios. In the past, GE has been furnished (τo, fo) data for
subsequent unclassified processing.

2. REQUIREMENTS: The basic requirement is to determine what steps must be
taken  to  enable  propagation  simulator  users  to  run  the  classified  SIGDAT 
program  on  the  associated  VAX  11/730  computer.  Implicit  in  this 
requirement  is  the  examination  of  physical  security,  TEMPEST,  and 
procedural  issues  which  affect  our  compliance  with  applicable  security 
regulations,  policies, and  guidelines. 

3. ASSUMPTIONS: This analysis is based upon the following assumptions:

A.  SIGDAT  is  the  only  classified  program  which  will  be  run  in  this 
equipment. 


B.  The  Propagation  Simulator  will  be  used  only  in  Government  or 
contractor facilities having controlled access. (The test data taken will
normally be classified.)

C.  NSA  specification  NACSIM  5100B  will  be  the  primary  source  of 
TEMPEST  and  red/black  engineering  criteria. 

D. DOD 5220.22-M, Security Requirements for ADP Systems, will be the
primary source of procedural requirements for classified data processing.

4. PHYSICAL SECURITY: Measures must be taken to prevent intentional or
accidental removal of classified information from the equipment by
physical means. The following areas are susceptible to physical
compromise:

A.  A  magnetic  tape  cassette  is  used  to  boot  the  VAX-11/730  computer 
during  the  initial  power-up  process.  The  cassette  tape  drive  is  located 
on  the  CPU  front  panel.  This  tape  must  be  removed  from  the  tape  drive 
before  beginning  classified  processing  to  preclude  the  possibility  of 
receiving  and  retaining  classified  information. 

B.  The  RUC25-BA  disk  drive  includes  one  26  MB  fixed  disk. 
Regardless  of  whether  or  not  this  disk  is  addressed  in  the  course  of 
classified  processing,  the  possibility  that  classified  information  could 
be  transferred  to  this  disk  must  be  assumed.  After  classified  processing 
is complete, an erasure program specified in DOD 5220.22-M must be run to
purge  this  disk  of  all  data. 

C.  The  RUC25-BA  disk  drive  includes  one  26  MB  removable  disk 
cartridge.  It  is  assumed  that  the  classified  SIGDAT  program,  and  other 
information, will reside in this cartridge. After classified processing,
this cartridge must be removed from the drive and stored in an approved
secure container. When unclassified processing is performed, a separate
disk  cartridge  must  be  used. 

D.  The  VAX  11/730  registers/buffers  must  be  cleared  after  classified 
processing.  This  can  be  done  by  briefly  turning  off  AC  power. 

E.  The  hard  copy  output  of  the  teleprinter  associated  with  the 
VAX-11/730  may  include  classified  information  derived  from  the  SIGDAT 
program.  This  paper  must  be  properly  safeguarded. 

F.  The  area  in  which  the  system  is  operated  must  be  properly 
controlled  to  prevent  unauthorized  viewing  and  removal  of  hardware, 
magnetic  media,  and  hardcopy  material  containing  classified  information. 
DOD 5220.22-M outlines procedures for these safeguards.

5. SIGNAL EMANATIONS: Measures must be taken to prevent the interception
of compromising emanations radiated from the hardware or conducted by its
power and signal cables. The following areas are considered TEMPEST
hazards:


A. The current VT100-AA terminal is not equipped with RFI shielding
suitable  for  TEMPEST  protection.  This  CRT  terminal  is  the  source  of  the 
most  severe  radiated  emissions. 

B. The current LA100-BA teleprinter is the next most severe source
of radiated emissions.

C. The current housings for the VAX 11/730 CPU and RUC25-BA disk
drive are not equipped with RFI shielding suitable for TEMPEST protection.
Necessary  protection  can  be  provided  by  installing  this  equipment  in  a 
properly  shielded  enclosure,  and  thoroughly  testing  for  TEMPEST  integrity. 

D.  The  AC  power  cables  serving  the  computer  and  peripheral  equipment 
are a source of conducted emanations. Installation of suitable filters can
reduce this vulnerability.

E.  The  signal  cables  connecting  the  VAX-11/730  computer  to  the 
Propagation  Simulator  Digital  Controller  are  used  only  during  unclassified 
data  processing.  They  are  not  required  when  running  the  classified  SIGDAT 
program.  However,  the  possibility  that  classified  information  could  be 
transferred  to  these  cables  must  be  assumed.  If  these  cables  remain  in 
place  during  classified  processing,  then  all  the  Propagation  Simulator 
racks  must  be  considered  to  contain  red  signals  and  thus  be  subject  to 
TEMPEST  considerations.  This  source  of  conducted  emanations  can  be 
eliminated  by  removing  these  cables  during  classified  processing  and 
capping  the  connectors  with  properly  shielded  terminators. 

6. DEGREES OF PROTECTION: There is no possibility of absolute protection
from hostile interception of compromising emanations. Various degrees of
protection are feasible, depending upon the economic investment in
protective measures. The using agency should seek a balance between
probability of intercept and cost for each of the countermeasures
considered. There appear to be three levels of TEMPEST protection which
can be achieved for the Propagation Simulator:

A.  The  lowest  level,  which  may  nevertheless  be  adequate,  entails 
placing  the  existing  equipment  in  a  facility  which  minimizes  the 
possibility  of  signal  interception.  While  complete  RFI  screening  is 
ideal,  other  less  costly  precautions  can  be  taken.  The  equipment  can  be 
placed  as  far  inside  the  controlled  area  as  possible  to  minimize  the 
effectiveness of a ferret (hostile interceptor). It is also necessary to
apply  sound  equipment  grounding  practices.  Security  organizations 
commonly  authorize  SECRET-level  data  processing  in  systems  which  are  not 
TEMPEST  certified. 

B.  The  next  level  of  protection,  requiring  only  a  modest  investment, 
entails replacing the VT100-AA terminal and LA100-BA teleprinter with a
single off-the-shelf TEMPEST-certified teleprinter. These units represent
substantially  greater  sources  of  radiated  emissions  than  the  computer 
itself.  A  variety  of  suitable  teleprinters  are  cited  in  NSA's  listing  of 
preferred  TEMPEST  products. 

C.  The  highest  level  of  protection,  requiring  a  substantial 
expenditure  for  hardware  and  testing,  is  obtained  by  installing  the 
VAX-11/730  and  RUC25-BA  in  a  special  shielded  cabinet  as  well  as  providing 
a TEMPEST-certified teleprinter. The nonrecurring engineering and
testing expenses for achieving a certifiable TEMPEST system could
conceivably exceed the cost of a new TEMPEST-certified system from the
computer vendor. This approach attempts to render the system invulnerable
to interception independently of any protection the facility might
provide.

7. ADP STANDARD PRACTICE PROCEDURE: The Defense Investigative Service
(DIS) is responsible for establishing and enforcing security requirements
at the facilities of defense contractors. Before classified software can
be run in a computer, the contractor must have an ADP Standard Practice
Procedure (SPP) prescribed by DOD 5220.22-M and approved by DIS. Appendix
B is an outline for preparing an SPP. A separate SPP is required for each
computer system so used. Normally an SPP is written for a specific
facility, but with DIS approval, it should be possible to prepare a plan
sufficiently general to be applicable to any contractor's plant.

8. MILITARY SECURITY REQUIREMENTS: When the simulator is shipped to a
military installation and classified processing is required, authorization
from the security organization serving that activity will be required.
The DIS-approved SPP may be accepted by the organization, but coordination
well in advance of the scheduled test support is essential.


Figure 6. TEMPEST protection for propagation simulator computer.


APPENDIX  B 

OUTLINE  FOR  ADP  STANDARD  PRACTICE  PROCEDURE 


IDENTIFICATION 

Contractor  facility  name,  address,  and  Federal  Supply  Code  Number. 

General description of computer system(s) used for classified processing
(i.e.,  system  name,  manufacturer,  model,  type,  etc.). 

Physical  location  of  central  computer  facility  (i.e.,  complex,  building, 
level,  area,  post,  room,  etc.). 

Name(s) and telephone number(s) of ADP system security supervisor and
ADP system security custodian(s). (Para 103c)

ADP system security mode of operation. (Para 112c(1))

Highest  level  of  classified  information  processed. 

SUMMARY OF SYSTEM USAGE (Para 112c(5)(b))

Classified  use  or  purpose  of  system  (i.e.,  word  processing,  graphics 
display,  real-time  calibration, simulation,  etc.).  Indicate  local  and 
remote  utilization  capabilities. 

Approximate  percentage  of  total  system  utilization  used  for  classified 
processing. 

Hours/shifts  of  system  operation,  and  hours/shifts  when  classified 
processing  may  occur. 

Run  schedule  mix  during  classified  processing,  i.e.,  what  classified/ 
unclassified  applications  processed  concurrently. 

Type  and  general  uses  of  storage  and  input/output  media  used  during 
classified  processing.  Indicate  highest  security  classification  of 
each. 

Glossary  of  frequently  used  terms  and  acronyms  related  to  the  system 
or  facility. 

HARDWARE (Para 112c(3))

List all system equipment (local and remote), including memory storage
units, by device name, model, manufacturer, and serial number,
if appropriate.

Identify  those  devices  used  during  classified  processing  periods. 

Diagram(s) or floor plan(s) indicating placement of above equipment in
the  facility  (identify  building,  area,  room,  etc.). 

Schematic  diagram  of  hardware  configuration  and  equipment  interfaces 
(i.e., cable connections, channel assignments, etc.).

Channel  assignments  for  subsystem  and  peripheral  equipment. 

Disconnect  methods  (i.e.,  logical,  physical,  system  generation,  etc.)  for 
peripheral  and  shared  devices  not  used  during  classified  processing. 
Switching  devices,  not  included  in  equipment  described  above,  for 
channels,  peripheral  devices  and  remote  terminals. 

If  patch  boards  used  in  classified  processing,  how  used  and  protected 
(also patch board diagrams).

SOFTWARE (Para 112c(3))

Operating System (O/S)

Name and release level of dedicated, protected O/S used for classified
processing.

Specify whether O/S is standard or locally modified. If modifications
affect security features of the O/S briefly describe. (Para 112c(5)(d))
Who maintains and generates the O/S? Are recertification tests
conducted  periodically,  after  system  malfunctions,  and  after  scheduled/ 
unscheduled  hardware  or  software  maintenance/modification?  Are  program 
changes  controlled,  recorded,  approved  and  tested  by  responsible 
authority? 

Describe test and verification procedures. (Para 112c(5)(h))

O/S logging features used during classified processing periods.
Security/protective features available in the O/S (i.e., memory
protection, passwords, user/privilege mode, file protect, read/write
protect, etc.). Indicate those features used during classified
processing periods.

Control and clearing procedures for "paging" (virtual storage).

If  "checkpoint  restart"  used  during  classified  processing,  how 
checkpoints  protected?  Checkpoint  values  purged  when  no  longer  of  value? 
Can  application  programs  access  the  checkpoint  file? 


Application  Software  (classified  processing) 

Generation,  maintenance,  testing,  documentation  and  control  of 
classified application programs. (Para 112c(5)(h))

Security enhancements written into application programs and programs
developed to supplement security/protective features of the O/S.
(Para 112c(5)(d))

To  what  extent,  under  what  conditions,  and  from  which  locations  is 
interactive  programming/debugging  allowed. 

Programming  logic  employed  for  logical  disconnects,  redundancy  checks, 
and  external  verifications. 

Programming  languages  used. 

TELEPROCESSING 

Total teleprocessing system(s) employed. For those systems not used
during classified processing, indicate disconnect method(s). (Para 107c)

For those teleprocessing systems used during classified processing periods:

Schematic  diagram  or  description  of  teleprocessing  configuration  and 
communications  interfaces  (i.e.,  controllers,  modems,  multiplexors,  channel 
couplers,  data  code  converters,  communications  subsystems,  etc.). 

Type  of  remote  I/O  devices  and  general  usage  of  each  (i.e.,  portable, 
stationary,  intelligent,  keyboard,  CRT,  printer,  card  reader,  analog,  batch, 
interactive,  etc.). 

Type  of  communications  circuits  to  central  computer  facility  (i.e., 
dial-up,  dedicated,  wirelines,  fiber  optics,  etc.).  (Para  109) 

Classified  information  protected  by  CRYPTOGRAPHIC  communications  circuits 
or  hardened  lines.  If  latter,  describe  installation,  physical  protection  and 
line  surveillance.  (Para  109  and  112c(4)) 

Message  verification  procedures  and  routing  control  methods  used. 

Procedure  if  remote  terminals  used  to  modify  classified  parameters 
(data, program, or passwords).

PERSONNEL  (Para  105) 

Personnel  access  controls  to  central  computer  facility  and  remote  terminal 
areas  during  working  and  nonworking  hours.  (Para  112c(2)  and  112c(5)(c)) 
System  users  (Para  105a) 


System  support  personnel  (Para  105b) 

Visitor controls and escorting procedures (Para 105c and 112c(5)(j))

Security education program for system personnel (i.e., briefings, how
and where records maintained, etc.). (Para 105d and 108d)

PHYSICAL  (Para  106) 

Describe  physical  safeguard  characteristics  of  the  areas  where  equipment 
and  material  is  located  (i.e.,  central  computer  facility,  terminal  areas, 
media library, communications center, etc.). Include descriptions of walls,
doors,  windows,  ceilings,  floors,  hardware,  door  locking  devices,  electrical 
power,  sprinklers,  etc.  If  several  computer  systems  are  located  within  the 
same  CCF  and  only  one  processes  classified  data,  describe  area  controls 
employed  to  protect  the  system  used  for  classified  processing.  (Para  112c(2)) 
Minimum  continuous  physical  protection  during  working  and  nonworking  hours 
if  area  controls  are  adjusted.  (Para  107) 

Opening  and  closing  of  central  computer  facility. 

GENERAL  ACCESS  CONTROLS 

Controls  which  restrict  access  to  the  system  and  to  classified  data  in  the 
system during classified processing, such as: (Para 102b(1) and (5))

Passwords (Para 112c(5)(a))

Tables of user identifications and authorized files
Isolation of users to dedicated peripherals
Appropriate data management routines
Memory protect
Etc., etc.

Procedures  to  detect  and  report  unauthorized  access  attempts  and  threats 
to  the  system  and  to  classified  files/data.  (Para  108a) 

User  responsibilities  for  submission  of  classified  jobs  and/or  data  for 
processing. 

Sign-on/sign-off  procedures  for  users  from  remote  terminals  during  classified 
processing  periods.  Provide  copy  of  user's  guide,  if  available.  (Para  112c(5)) 


OPERATING  PROCEDURES 


Start-up procedures for classified processing (Para 112c(5)(i)). Provide copy
of  check  lists,  if  available.  Emphasize  security  protection  features  such  as: 
Clear  area  of  unauthorized  personnel 
Establish  physical  safeguards 
Remove  old  media 

Disconnect  remotes,  verify  and  record 
Load protected copy of O/S
Etc., etc.

Procedures  during  classified  processing.  Provide  copy  of  instructions 
or  check  lists  relevant  to  protection  of  classified  information,  if  available. 
Maintain  all  security  controls. 

Protection  and  handling  of  input  and  output. 

Emergency procedures in case of system crash, abnormal termination,
compromise, catastrophe, unauthorized access to system or areas, security
violations,  etc.  (Para  108b  and  108c) 

Generation  of  audit  trail  records. 

Etc.,  etc. 

Procedures  for  shut-down  of  classified  processing  (Para  112c(5)(i)). 

Provide  copy  of  operator  instructions  or  check  list  relevant  to  protection 
of  classified  information,  if  available. 

Clearance  of  internal  storage 

Removal  and  protection  of  dismountable  storage  media 
Removal of protected copy of O/S
Reconnect remotes
Etc., etc.


GENERAL  STORAGE,  PROTECTION  AND  CONTROL  (Para  102b(7)) 

Describe  security  containers  (and  indicate  where  located)  used  to 
safeguard  classified  materials  such  as  software,  input  data,  output  products, 
documentation, printer ribbons, etc.

Control, handling, storage and marking of above material. (Para 112c(5)(f)
and (g))

Back-up procedures, if any, for classified software and data files.

Library procedures for control, handling, marking and accountability of
classified media.

Clearance  and  verification  of  storage  media  (i.e.,  memory,  internal  storage, 
buffers,  disk,  drum,  floppy  disk,  cassette,  etc.).  (Para  115) 

Declassification  and  verification  of  storage  media.  Identify  degaussing 
equipment  used.  (Para  116) 

Declassification  of  storage  media  and  buffers  prior  to  removal  of  equipment 
for  repair,  trade-in,  etc.  (Para  116) 

Declassification/destruction  of  damaged  media  such  as  cassettes,  disks,  drums, 
etc. 

Destruction procedures for other media, such as carbon paper, printer ribbons,
punched cards, etc.

AUDIT  TRAILS  (Para  111) 

List,  describe  and  provide  actual  exhibits  of  all  automatic  and  manual 
audit  trail  records  which  serve  as  a  documented  history  of  the  use  of  the  ADP 
system  during  classified  processing  periods.  Description  should  include 
how  produced,  on  what  media,  when,  and  explanation  of  any  codes  used. 

Examples  of  audit  trail  logs/records  include,  but  are  not  limited  to: 

Sign-off  sheets  obtained  from  maintenance  personnel  performing  software/ 
hardware  installation,  modification  and  routine  maintenance.  Sheets  indicate 
what  was  done,  why,  by  whom,  when,  and  if  any  classified  files  were  accessed. 
System  reliability  log  showing  system  availability  times  with  reasons  for 
being  "down". 

User  sign-on/sign-off  log  at  remote  terminals.  (Para  112c(5)(e)) 

Console  operator  log  of  functions  performed. 

Attempts  to  access  classified  files  by  unauthorized  users. 

Program/system abnormal abort actions.

Special  use  of  system  for  generation  of  passwords,  change  of  system 
security  parameters,  etc. 

System crashes, system regenerations and system upgrades/downgrades.
Inventory of all classified magnetic media (i.e., tapes, disks, cassettes,
etc.) indicating library withdrawals, returns, scratches, etc.

List  of  all  classified  files  maintained  at  the  ADP  facility.  Listing 
should,  as  a  minimum,  contain  file  name  (I.D.),  classification  level, 
unclassified title, owner/user, responsible individual, type media, creation
date,  last  action,  etc. 


Activity  against  classified  data  files  showing  date,  time  and  accessing 
job/program. 

Processing  anomalies  with  corrective  action  taken. 
Clearance/declassification  of  storage  media.  (Para  115  and  116) 
Certificates  of  media  destruction. 

Disconnects  of  remotes  and  peripherals. 


EMERGENCY  PLAN 


Describe  additional  procedures  not  covered  above  to  be  employed  in  case 
of ADP security violation, system crash, or catastrophe to include:
Personnel  to  notify 
Recovery  procedure 
Record  keeping  (logs) 

Protection  of  hardware  and  classified  information 
Control  of  uncleared  emergency  personnel 


SUBCONTRACTING  (Para  110) 


Facility  name,  address  and  Federal  Supply  Code  Number  of  subcontractor. 
Describe  arrangements  for  subcontracting  of  computer  time  and/or  services 
to/from another cleared contractor.